python:tests: let auth_log.py explicitly use --option=clientusekrb5netlogon=no
authorStefan Metzmacher <metze@samba.org>
Thu, 7 Nov 2024 15:41:00 +0000 (16:41 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 13 Jan 2025 23:40:30 +0000 (23:40 +0000)
It also adds some additional checks to make sure netlogon with AES was
used.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
python/samba/tests/auth_log.py

index 9f301172902f48707026e56d7eed95de71d29134..46a321c66b9b342264e1c474783d9bc5a8e52c57 100755 (executable)
@@ -24,7 +24,7 @@ import sys
 sys.path.insert(0, 'bin/python')
 
 import samba.tests
-from samba.dcerpc import srvsvc, dnsserver
+from samba.dcerpc import srvsvc, dnsserver, netlogon
 import os
 from samba.samba3 import libsmb_samba_internal as libsmb
 from samba.samba3 import param as s3param
@@ -45,6 +45,32 @@ import re
 
 
 class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
+    netlogon_aes_flags = (
+        netlogon.NETLOGON_NEG_ACCOUNT_LOCKOUT |
+        netlogon.NETLOGON_NEG_PERSISTENT_SAMREPL |
+        netlogon.NETLOGON_NEG_ARCFOUR |
+        netlogon.NETLOGON_NEG_PROMOTION_COUNT |
+        netlogon.NETLOGON_NEG_CHANGELOG_BDC |
+        netlogon.NETLOGON_NEG_FULL_SYNC_REPL |
+        netlogon.NETLOGON_NEG_MULTIPLE_SIDS |
+        netlogon.NETLOGON_NEG_REDO |
+        netlogon.NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL |
+        netlogon.NETLOGON_NEG_SEND_PASSWORD_INFO_PDC |
+        netlogon.NETLOGON_NEG_GENERIC_PASSTHROUGH |
+        netlogon.NETLOGON_NEG_CONCURRENT_RPC |
+        netlogon.NETLOGON_NEG_AVOID_ACCOUNT_DB_REPL |
+        netlogon.NETLOGON_NEG_AVOID_SECURITYAUTH_DB_REPL |
+        netlogon.NETLOGON_NEG_STRONG_KEYS |
+        netlogon.NETLOGON_NEG_TRANSITIVE_TRUSTS |
+        netlogon.NETLOGON_NEG_DNS_DOMAIN_TRUSTS |
+        netlogon.NETLOGON_NEG_PASSWORD_SET2 |
+        netlogon.NETLOGON_NEG_GETDOMAININFO |
+        netlogon.NETLOGON_NEG_CROSS_FOREST_TRUSTS |
+        netlogon.NETLOGON_NEG_SUPPORTS_AES |
+        netlogon.NETLOGON_NEG_AUTHENTICATED_RPC_LSASS |
+        netlogon.NETLOGON_NEG_AUTHENTICATED_RPC)
+    # "0x610FFFFF"
+    netlogon_aes_flags_str = "0x%08X" % netlogon_aes_flags
 
     def setUp(self):
         super().setUp()
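Review bot: netlogon_aes_flags and netlogon_aes_flags_str carry no explanation, so a reader cannot tell that the exact-match assertions this commit adds elsewhere depend on this being the complete set of flags both sides negotiate under clientusekrb5netlogon=no, not merely the AES bit the commit message talks about. A comment above the tuple such as `# Full negotiate flags expected in the Authentication log entry when rpcclient runs with clientusekrb5netlogon=no; NETLOGON_NEG_SUPPORTS_AES is the bit the samlogon tests care about, the rest must be updated whenever either side's advertised flags change.` would record that. The bare `# "0x610FFFFF"` line should say what it is, e.g. `# expected value of netlogon_aes_flags_str: "0x610FFFFF"`, since nothing checks the literal against the computed value.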
@@ -1129,7 +1155,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         password = os.environ["PASSWORD"]
         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
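Review bot: The rewritten `call([...])` line still discards rpcclient's exit status, so a failure to even run the samlogon (for example the new `--option=clientusekrb5netlogon=no` being rejected) only surfaces later as a waitForMessages timeout with no hint of the cause. For the success-path tests it is worth binding and checking the status, `rc = call([...])` followed by `self.assertEqual(0, rc, "rpcclient samlogon failed")`; the bad-password and bad-user variants presumably exit non-zero and should not get that assertion. The enclosing test method starts before this hunk.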
@@ -1137,6 +1164,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertIn(received, [4, 5],
                       "Did not receive the expected number of messages")
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
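Review bot: The added four-line block (`msg = messages[-1]`, the type check and the netlogonNegotiateFlags comparison) is pasted verbatim into ten test methods in this commit, which is how one of them can silently miss it; a single helper on the class would keep the check uniform and make a future flag change a one-line edit. The test methods would then call `self.assert_netlogon_aes_used(messages)` after their message-count assertion. The enclosing test method starts before this hunk.
```python
def assert_netlogon_aes_used(self, messages):
    """Assert the last message is the Authentication record and that
    its netlogonNegotiateFlags match the expected AES-negotiated set."""
    msg = messages[-1]
    self.assertEqual("Authentication", msg["type"])
    self.assertEqual(self.netlogon_aes_flags_str,
                     msg["Authentication"]["netlogonNegotiateFlags"])
```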
     def test_samlogon_interactive_bad_password(self):
 
         workstation = "AuthLogTests"
@@ -1161,7 +1193,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         password = "badPassword"
         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1169,6 +1202,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertIn(received, [4, 5],
                       "Did not receive the expected number of messages")
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
     def test_samlogon_interactive_bad_user(self):
 
         workstation = "AuthLogTests"
@@ -1193,7 +1231,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         password = os.environ["PASSWORD"]
         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 1)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1201,6 +1240,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertIn(received, [4, 5],
                       "Did not receive the expected number of messages")
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
     def test_samlogon_network(self):
 
         workstation = "AuthLogTests"
@@ -1223,7 +1267,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         password = os.environ["PASSWORD"]
         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1231,6 +1276,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertIn(received, [4, 5],
                       "Did not receive the expected number of messages")
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
     def test_samlogon_network_bad_password(self):
 
         workstation = "AuthLogTests"
@@ -1254,7 +1304,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         password = "badPassword"
         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
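Review bot: test_samlogon_network_bad_password is the only samlogon test in this commit that receives `--option=clientusekrb5netlogon=no` without a matching netlogonNegotiateFlags assertion — the interactive and mschap bad-password variants both gain the `msg = messages[-1]` / `assertEqual(self.netlogon_aes_flags_str, ...)` block after their message-count check, but no such hunk follows this one before the next test. Unless that test's final message is deliberately not an Authentication record, the same check should be added after its `assertIn(received, [4, 5], ...)` line, which lies outside this hunk. The enclosing test method continues past the hunk.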
@@ -1285,7 +1336,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         password = os.environ["PASSWORD"]
         samlogon = "samlogon %s %s %s %d" % (user, password, workstation, 2)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1293,6 +1345,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertIn(received, [4, 5],
                       "Did not receive the expected number of messages")
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
     def test_samlogon_network_mschap(self):
 
         workstation = "AuthLogTests"
@@ -1317,7 +1374,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         samlogon = "samlogon %s %s %s %d 0x00010000" % (
             user, password, workstation, 2)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1325,6 +1383,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertIn(received, [4, 5],
                       "Did not receive the expected number of messages")
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
     def test_samlogon_network_mschap_bad_password(self):
 
         workstation = "AuthLogTests"
@@ -1350,7 +1413,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         samlogon = "samlogon %s %s %s %d 0x00010000" % (
             user, password, workstation, 2)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1358,6 +1422,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertIn(received, [4, 5],
                       "Did not receive the expected number of messages")
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
     def test_samlogon_network_mschap_bad_user(self):
 
         workstation = "AuthLogTests"
@@ -1383,7 +1452,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         samlogon = "samlogon %s %s %s %d 0x00010000" % (
             user, password, workstation, 2)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1391,6 +1461,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertIn(received, [4, 5],
                       "Did not receive the expected number of messages")
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
     def test_samlogon_schannel_seal(self):
 
         workstation = "AuthLogTests"
@@ -1413,7 +1488,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         password = os.environ["PASSWORD"]
         samlogon = "schannel;samlogon %s %s %s" % (user, password, workstation)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1430,6 +1506,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertEqual("SEAL", msg["Authorization"]["transportProtection"])
         self.assertTrue(self.is_guid(msg["Authorization"]["sessionId"]))
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
     # Signed logons get promoted to sealed, this test ensures that
     # this behaviour is not removed accidentally
     def test_samlogon_schannel_sign(self):
@@ -1455,7 +1536,8 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         samlogon = "schannelsign;samlogon %s %s %s" % (
             user, password, workstation)
 
-        call(["bin/rpcclient", "-c", samlogon, "-U%", server])
+        call(["bin/rpcclient", "-c", samlogon, "-U%", server,
+             "--option=clientusekrb5netlogon=no"])
 
         messages = self.waitForMessages(isLastExpectedMessage)
         messages = self.remove_netlogon_messages(messages)
@@ -1472,6 +1554,11 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
         self.assertEqual("SEAL", msg["Authorization"]["transportProtection"])
         self.assertTrue(self.is_guid(msg["Authorization"]["sessionId"]))
 
+        msg = messages[-1]
+        self.assertEqual("Authentication", msg["type"])
+        self.assertEqual(self.netlogon_aes_flags_str,
+                         msg["Authentication"]["netlogonNegotiateFlags"])
+
 
 if __name__ == '__main__':
     import unittest